@harperfast/oauth 1.2.1

package/dist/lib/config.js

@@ -0,0 +1,138 @@
+/**
+ * OAuth Configuration
+ *
+ * Provider configuration and initialization utilities
+ */
+import { OAuthProvider } from "./OAuthProvider.js";
+import { getProvider } from "./providers/index.js";
+/**
+ * Expand environment variable in a string value
+ *
+ * If the value is a string in the format `${VAR_NAME}`, it will be replaced
+ * with the value of the environment variable. Non-string values are returned unchanged.
+ *
+ * @example
+ * expandEnvVar('${MY_VAR}') // Returns process.env.MY_VAR or '${MY_VAR}' if undefined
+ * expandEnvVar('literal')   // Returns 'literal'
+ * expandEnvVar(123)         // Returns 123
+ * expandEnvVar(true)        // Returns true
+ */
+export function expandEnvVar(value) {
+    if (typeof value === 'string' && value.startsWith('${') && value.endsWith('}')) {
+        // Extract environment variable name
+        const envVar = value.slice(2, -1);
+        const envValue = process.env[envVar];
+        // Only use env value if it exists (even if empty string)
+        return envValue !== undefined ? envValue : value;
+    }
+    return value;
+}
+/**
+ * Build configuration for a specific provider
+ */
+export function buildProviderConfig(providerConfig, providerName, pluginDefaults = {}) {
+    const options = providerConfig || {};
+    // Expand environment variables in config values
+    const expandedOptions = {};
+    for (const [key, value] of Object.entries(options)) {
+        expandedOptions[key] = expandEnvVar(value);
+    }
+    // Check for known provider presets
+    const providerType = expandedOptions.provider || providerName;
+    const providerPreset = providerType ? getProvider(providerType) : null;
+    // Build redirect URI with provider name in path
+    const baseRedirectUri = expandedOptions.redirectUri || pluginDefaults.redirectUri || 'https://localhost:9953/oauth';
+    const redirectUri = baseRedirectUri
+        .replace('/oauth/callback', `/oauth/${providerName}/callback`)
+        .replace(/\/oauth$/, `/oauth/${providerName}/callback`);
+    // Merge configurations: plugin defaults -> preset -> options
+    const config = {
+        // Plugin defaults
+        scope: pluginDefaults.scope || 'openid profile email',
+        usernameClaim: pluginDefaults.usernameClaim || 'email',
+        defaultRole: pluginDefaults.defaultRole || 'user',
+        postLoginRedirect: pluginDefaults.postLoginRedirect || '/',
+        // Provider type
+        provider: 'generic',
+        // Required fields (will be overridden if present)
+        clientId: '',
+        clientSecret: '',
+        authorizationUrl: '',
+        tokenUrl: '',
+        userInfoUrl: '',
+        // Provider preset (if available)
+        ...providerPreset,
+        // Provider-specific options (with expanded env vars)
+        ...expandedOptions,
+        // Ensure redirect URI includes provider name (override any previous value)
+        redirectUri,
+    };
+    // Handle provider-specific configuration
+    if (providerPreset?.configure) {
+        let providerConfig;
+        switch (config.provider) {
+            case 'azure':
+                if (expandedOptions.tenantId) {
+                    providerConfig = providerPreset.configure(expandedOptions.tenantId);
+                }
+                break;
+            case 'auth0':
+            case 'okta':
+                if (expandedOptions.domain) {
+                    providerConfig = providerPreset.configure(expandedOptions.domain);
+                }
+                break;
+        }
+        if (providerConfig) {
+            Object.assign(config, providerConfig);
+        }
+    }
+    return config;
+}
+/**
+ * Extract plugin-level defaults from options
+ */
+export function extractPluginDefaults(options) {
+    const pluginDefaults = {};
+    // Copy all non-provider config to defaults, expanding environment variables
+    for (const [key, value] of Object.entries(options)) {
+        if (key !== 'providers' && key !== 'debug') {
+            pluginDefaults[key] = expandEnvVar(value);
+        }
+    }
+    return pluginDefaults;
+}
+/**
+ * Initialize OAuth providers from configuration
+ */
+export function initializeProviders(options, logger) {
+    const providers = {};
+    // Providers configuration is required
+    if (!options.providers || typeof options.providers !== 'object') {
+        return providers;
+    }
+    // Extract plugin-level defaults
+    const pluginDefaults = extractPluginDefaults(options);
+    logger?.debug?.('Plugin defaults:', pluginDefaults);
+    // Initialize each provider
+    for (const [providerName, providerConfig] of Object.entries(options.providers)) {
+        const config = buildProviderConfig(providerConfig, providerName, pluginDefaults);
+        // Check if this provider is properly configured
+        const requiredFields = ['clientId', 'clientSecret', 'authorizationUrl', 'tokenUrl', 'userInfoUrl'];
+        const missingFields = requiredFields.filter((key) => !config[key]);
+        if (missingFields.length > 0) {
+            logger?.warn?.(`OAuth provider '${providerName}' not configured. Missing: ${missingFields.join(', ')}`);
+            continue;
+        }
+        try {
+            const provider = new OAuthProvider(config, logger);
+            providers[providerName] = { provider, config };
+            logger?.info?.(`OAuth provider '${providerName}' initialized (${config.provider})`);
+        }
+        catch (error) {
+            logger?.error?.(`Failed to initialize OAuth provider '${providerName}':`, error);
+        }
+    }
+    return providers;
+}
+//# sourceMappingURL=config.js.map

package/dist/lib/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGnD;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,YAAY,CAAC,KAAU;IACtC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAChF,oCAAoC;QACpC,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAClC,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACrC,yDAAyD;QACzD,OAAO,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC;IAClD,CAAC;IACD,OAAO,KAAK,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAClC,cAAmC,EACnC,YAAoB,EACpB,iBAA+C,EAAE;IAEjD,MAAM,OAAO,GAAG,cAAc,IAAI,EAAE,CAAC;IAErC,gDAAgD;IAChD,MAAM,eAAe,GAAwB,EAAE,CAAC;IAChD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACpD,eAAe,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC;IAED,mCAAmC;IACnC,MAAM,YAAY,GAAG,eAAe,CAAC,QAAQ,IAAI,YAAY,CAAC;IAC9D,MAAM,cAAc,GAAG,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEvE,gDAAgD;IAChD,MAAM,eAAe,GAAG,eAAe,CAAC,WAAW,IAAI,cAAc,CAAC,WAAW,IAAI,8BAA8B,CAAC;IACpH,MAAM,WAAW,GAAG,eAAe;SACjC,OAAO,CAAC,iBAAiB,EAAE,UAAU,YAAY,WAAW,CAAC;SAC7D,OAAO,CAAC,UAAU,EAAE,UAAU,YAAY,WAAW,CAAC,CAAC;IAEzD,6DAA6D;IAC7D,MAAM,MAAM,GAAwB;QACnC,kBAAkB;QAClB,KAAK,EAAE,cAAc,CAAC,KAAK,IAAI,sBAAsB;QACrD,aAAa,EAAE,cAAc,CAAC,aAAa,IAAI,OAAO;QACtD,WAAW,EAAE,cAAc,CAAC,WAAW,IAAI,MAAM;QACjD,iBAAiB,EAAE,cAAc,CAAC,iBAAiB,IAAI,GAAG;QAE1D,gBAAgB;QAChB,QAAQ,EAAE,SAAS;QAEnB,kDAAkD;QAClD,QAAQ,EAAE,EAAE;QACZ,YAAY,EAAE,EAAE;QAChB,gBAAgB,EAAE,EAAE;QACpB,QAAQ,EAAE,EAAE;QACZ,WAAW,EAAE,EAAE;QAEf,iCAAiC;QACjC,GAAG,cAAc;QAEjB,qDAAqD;QACrD,GAAG,eAAe;QAElB,2EAA2E;QAC3E,WAAW;KACX,CAAC;IAEF,yCAAyC;IACzC,IAAI,cAAc,EAAE,SAAS,EAAE,CAAC;QAC/B,IAAI,cAAc,CAAC;QAEnB,QAAQ,MAAM,CAAC,QAAQ,EAAE,CAAC;YACzB,KAAK,OAAO;gBACX,IAAI,eAAe,CAAC,QAAQ,EAAE,CAAC;oBAC9B,cAAc,GAAG,cAAc,CAAC,SAAS,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;gBACrE,CAAC;gBACD,MAAM;YACP,KAAK,OAAO,CAAC;YACb,KAAK,MAAM;gBACV,IAAI,eAAe,CAAC,MAAM,EAAE,CAAC;oBAC5B,cAAc,GAAG,cAAc,CAAC,SAAS,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;gBACnE,CAAC;gBACD,MAAM;QACR,CAAC;QAED,IAAI,cAAc,EAAE,CAAC;YACpB,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;QACvC,CAAC;IACF,CAAC;IAED,OAAO,MAAM,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAA0B;IAC/D,MAAM,cAAc,GAAiC,EAAE,CAAC;IAExD,4EAA4E;IAC5E,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACpD,IAAI,GAAG,KAAK,WAAW,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;YAC5C,cAAc,CAAC,GAAgC,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;QACxE,CAAC;IACF,CAAC;IAED,OAAO,cAAc,CAAC;AACvB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,OAA0B,EAAE,MAAe;IAC9E,MAAM,SAAS,GAAqB,EAAE,CAAC;IAEvC,sCAAsC;IACtC,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;QACjE,OAAO,SAAS,CAAC;IAClB,CAAC;IAED,gCAAgC;IAChC,MAAM,cAAc,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IACtD,MAAM,EAAE,KAAK,EAAE,CAAC,kBAAkB,EAAE,cAAc,CAAC,CAAC;IAEpD,2BAA2B;IAC3B,KAAK,MAAM,CAAC,YAAY,EAAE,cAAc,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QAChF,MAAM,MAAM,GAAG,mBAAmB,CAAC,cAAc,EAAE,YAAY,EAAE,cAAc,CAAC,CAAC;QAEjF,gDAAgD;QAChD,MAAM,cAAc,GAAG,CAAC,UAAU,EAAE,cAAc,EAAE,kBAAkB,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;QACnG,MAAM,aAAa,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,GAAgC,CAAC,CAAC,CAAC;QAEhG,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,EAAE,IAAI,EAAE,CAAC,mBAAmB,YAAY,8BAA8B,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACxG,SAAS;QACV,CAAC;QAED,IAAI,CAAC;YACJ,MAAM,QAAQ,GAAG,IAAI,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YACnD,SAAS,CAAC,YAAY,CAAC,GAAG,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC;YAC/C,MAAM,EAAE,IAAI,EAAE,CAAC,mBAAmB,YAAY,kBAAkB,MAAM,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrF,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,EAAE,KAAK,EAAE,CAAC,wCAAwC,YAAY,IAAI,EAAE,KAAK,CAAC,CAAC;QAClF,CAAC;IACF,CAAC;IAED,OAAO,SAAS,CAAC;AAClB,CAAC"}

package/dist/lib/handlers.d.ts

@@ -0,0 +1,56 @@
+/**
+ * OAuth Endpoint Handlers
+ *
+ * Handler functions for OAuth authentication endpoints
+ */
+import type { RequestTarget } from 'harperdb';
+import type { Request, Logger, IOAuthProvider, OAuthProviderConfig } from '../types.ts';
+import type { HookManager } from './hookManager.ts';
+/**
+ * Sanitize a redirect parameter to prevent open redirect attacks
+ *
+ * Takes a user-provided redirect URL and extracts only the path portion,
+ * stripping any protocol, domain, or port information.
+ *
+ * Blocks dangerous protocols like javascript:, data:, vbscript:, and file:
+ * to prevent XSS and other injection attacks.
+ *
+ * @param redirectParam - User-provided redirect URL (may be absolute, relative, or protocol-relative)
+ * @returns Safe relative path (pathname + search + hash), or '/' if invalid
+ *
+ * @example
+ * sanitizeRedirect('https://evil.com/phish')  // '/phish'
+ * sanitizeRedirect('//evil.com/phish')        // '/phish'
+ * sanitizeRedirect('/dashboard')              // '/dashboard'
+ * sanitizeRedirect('javascript:alert(1)')     // '/'
+ * sanitizeRedirect('invalid')                 // '/'
+ */
+export declare function sanitizeRedirect(redirectParam: string): string;
+/**
+ * Handle OAuth login initiation
+ */
+export declare function handleLogin(request: Request, target: RequestTarget, provider: IOAuthProvider, config: OAuthProviderConfig, providerName: string, logger?: Logger): Promise<any>;
+/**
+ * Handle OAuth callback from provider
+ */
+export declare function handleCallback(request: Request, target: RequestTarget, provider: IOAuthProvider, config: OAuthProviderConfig, hookManager: HookManager, providerName: string, logger?: Logger): Promise<any>;
+/**
+ * Clear OAuth session data and log out the user
+ * Shared function for explicit logout and automatic logout on token expiration
+ *
+ * Deletes the session record from the hdb_session table, completely removing it
+ * rather than just clearing the user field. This ensures no orphaned sessions remain.
+ */
+export declare function clearOAuthSession(session: any, logger?: Logger): Promise<void>;
+/**
+ * Handle user logout
+ */
+export declare function handleLogout(request: Request, hookManager: HookManager, logger?: Logger): Promise<any>;
+/**
+ * Get current user info
+ */
+export declare function handleUserInfo(request: Request, tokenRefreshed?: boolean): Promise<any>;
+/**
+ * Serve OAuth test page
+ */
+export declare function handleTestPage(logger?: Logger): Promise<any>;

package/dist/lib/handlers.js

@@ -0,0 +1,386 @@
+/**
+ * OAuth Endpoint Handlers
+ *
+ * Handler functions for OAuth authentication endpoints
+ */
+import { readFile } from 'node:fs/promises';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+/**
+ * Sanitize a redirect parameter to prevent open redirect attacks
+ *
+ * Takes a user-provided redirect URL and extracts only the path portion,
+ * stripping any protocol, domain, or port information.
+ *
+ * Blocks dangerous protocols like javascript:, data:, vbscript:, and file:
+ * to prevent XSS and other injection attacks.
+ *
+ * @param redirectParam - User-provided redirect URL (may be absolute, relative, or protocol-relative)
+ * @returns Safe relative path (pathname + search + hash), or '/' if invalid
+ *
+ * @example
+ * sanitizeRedirect('https://evil.com/phish')  // '/phish'
+ * sanitizeRedirect('//evil.com/phish')        // '/phish'
+ * sanitizeRedirect('/dashboard')              // '/dashboard'
+ * sanitizeRedirect('javascript:alert(1)')     // '/'
+ * sanitizeRedirect('invalid')                 // '/'
+ */
+export function sanitizeRedirect(redirectParam) {
+    try {
+        const url = new URL(redirectParam, 'http://localhost');
+        // Block dangerous protocols
+        // These protocols can be used for XSS, file access, or other attacks
+        const dangerousProtocols = ['javascript:', 'data:', 'vbscript:', 'file:'];
+        if (dangerousProtocols.some((proto) => url.protocol === proto)) {
+            return '/';
+        }
+        const sanitized = url.pathname + url.search + url.hash;
+        // Additional validation: result must start with /
+        if (!sanitized.startsWith('/')) {
+            return '/';
+        }
+        return sanitized;
+    }
+    catch (error) {
+        // Invalid URL - return safe default
+        return '/';
+    }
+}
+/**
+ * Build a safe error redirect URL
+ *
+ * Sanitizes the redirect path, then appends error query params using the URL API
+ * so params are always placed before any hash fragment.
+ */
+function buildErrorRedirect(rawUrl, params) {
+    const safePath = sanitizeRedirect(rawUrl);
+    const url = new URL(safePath, 'http://localhost');
+    for (const [key, value] of Object.entries(params)) {
+        url.searchParams.set(key, value);
+    }
+    return url.pathname + url.search + url.hash;
+}
+/**
+ * Handle OAuth login initiation
+ */
+export async function handleLogin(request, target, provider, config, providerName, logger) {
+    // Determine redirect URL: query param > referer header > config default
+    let redirectParam = target.get?.('redirect');
+    // Sanitize redirect parameter to prevent open redirect attacks
+    if (redirectParam) {
+        redirectParam = sanitizeRedirect(redirectParam);
+    }
+    const referer = request.headers?.referer ? sanitizeRedirect(request.headers.referer) : undefined;
+    const originalUrl = redirectParam || referer || config.postLoginRedirect || '/';
+    // Generate CSRF token with metadata
+    // Bind token to provider to prevent cross-provider CSRF attacks
+    const csrfToken = await provider.generateCSRFToken({
+        originalUrl,
+        sessionId: request.session?.id,
+        providerName, // Bind state token to this provider
+    });
+    // Build authorization URL with CSRF token as state parameter
+    const authUrl = provider.getAuthorizationUrl(csrfToken, config.redirectUri || '');
+    logger?.info?.(`OAuth login initiated for session: ${request.session?.id}`);
+    return {
+        status: 302,
+        headers: {
+            Location: authUrl,
+        },
+    };
+}
+/**
+ * Handle OAuth callback from provider
+ */
+export async function handleCallback(request, target, provider, config, hookManager, providerName, logger) {
+    // Get query parameters from target
+    const code = target.get?.('code');
+    const state = target.get?.('state');
+    const error = target.get?.('error');
+    const errorDescription = target.get?.('error_description');
+    // Handle OAuth errors from provider
+    if (error) {
+        logger?.error?.(`OAuth error: ${error} - ${errorDescription}`);
+        const errorUrl = buildErrorRedirect(config.postLoginRedirect || '/', { error: 'oauth_failed', reason: error });
+        return {
+            status: 302,
+            headers: {
+                Location: errorUrl,
+            },
+        };
+    }
+    // Validate parameters
+    if (!code || !state) {
+        logger?.warn?.('Missing required OAuth callback parameters');
+        const errorUrl = buildErrorRedirect(config.postLoginRedirect || '/', { error: 'invalid_request' });
+        return {
+            status: 302,
+            headers: {
+                Location: errorUrl,
+            },
+        };
+    }
+    // Verify CSRF token
+    const tokenData = await provider.verifyCSRFToken(state);
+    if (!tokenData) {
+        logger?.warn?.('Invalid or expired CSRF token');
+        // Redirect back to login with error parameter
+        const loginUrl = `/oauth/${providerName}/login?error=session_expired`;
+        return {
+            status: 302,
+            headers: {
+                Location: loginUrl,
+            },
+        };
+    }
+    // Verify state token was issued for THIS provider (prevents cross-provider attacks)
+    if (tokenData.providerName !== providerName) {
+        logger?.warn?.(`State token provider mismatch: token issued for '${tokenData.providerName}', callback for '${providerName}'`);
+        // This could be an attack - redirect back to original URL with error
+        // Do NOT redirect to login endpoint as that would restart OAuth flow
+        const errorUrl = buildErrorRedirect(tokenData.originalUrl || config.postLoginRedirect || '/', {
+            error: 'auth_failed',
+            reason: 'csrf',
+        });
+        return {
+            status: 302,
+            headers: {
+                Location: errorUrl,
+            },
+        };
+    }
+    try {
+        // Exchange code for tokens
+        const tokenResponse = await provider.exchangeCodeForToken(code, config.redirectUri || '');
+        // Verify ID token if present (OIDC flow)
+        let idTokenClaims = null;
+        if (tokenResponse.id_token) {
+            try {
+                idTokenClaims = provider.verifyIdToken ? await provider.verifyIdToken(tokenResponse.id_token) : null;
+                logger?.info?.('ID token verified successfully');
+            }
+            catch (error) {
+                // Log verification failure but continue with userinfo endpoint
+                logger?.warn?.('ID token verification failed, falling back to userinfo endpoint:', error.message);
+            }
+        }
+        // Get user info (will use ID token claims if available and verified)
+        const userInfo = await provider.getUserInfo(tokenResponse.access_token, idTokenClaims);
+        // Map to Harper user
+        const user = provider.mapUserToHarper(userInfo);
+        // Call onLogin hook before storing session
+        // This allows user provisioning plugins to create/update user records
+        // Pass providerName (registry key) not config.provider (provider type) for multi-tenant support
+        const hookData = await hookManager.callOnLogin(user, tokenResponse, request.session, request, providerName);
+        // Store in session if available
+        if (request.session) {
+            // Calculate token expiration and refresh thresholds
+            // For providers that don't return expires_in (like GitHub), tokens don't expire
+            // so we don't set expiration/refresh thresholds to avoid premature session cleanup
+            const now = Date.now();
+            let expiresAt;
+            let refreshThreshold;
+            if (tokenResponse.expires_in) {
+                // Token has expiration - calculate thresholds
+                const expiresIn = tokenResponse.expires_in;
+                expiresAt = now + expiresIn * 1000;
+                refreshThreshold = now + expiresIn * 800; // Refresh at 80% of lifetime
+            }
+            // else: No expires_in means token doesn't expire (e.g., GitHub)
+            // Leave expiresAt and refreshThreshold undefined so middleware doesn't try to refresh
+            // Prepare session data
+            const sessionData = {
+                user: hookData?.user || user.username, // Use hook's user if provided, otherwise OAuth username
+                oauthUser: user, // Store full OAuth user object separately
+                oauth: {
+                    provider: providerName, // Config key (backwards compatible - e.g., 'my-custom-github', 'production-okta')
+                    providerConfigId: providerName, // Config key/ID (clearer naming for new code)
+                    providerType: config.provider, // Provider type (e.g., 'github', 'okta')
+                    accessToken: tokenResponse.access_token,
+                    refreshToken: tokenResponse.refresh_token,
+                    expiresAt,
+                    refreshThreshold,
+                    scope: tokenResponse.scope,
+                    tokenType: tokenResponse.token_type || 'Bearer',
+                    lastRefreshed: now,
+                },
+            };
+            // Merge remaining hook data into session if provided (excluding 'user' since we already used it)
+            if (hookData) {
+                // eslint-disable-next-line @typescript-eslint/no-unused-vars, sonarjs/no-unused-vars
+                const { user, ...remainingHookData } = hookData;
+                Object.assign(sessionData, remainingHookData);
+            }
+            // Store user info and OAuth metadata in session
+            if (typeof request.session.update === 'function') {
+                await request.session.update(sessionData);
+            }
+            else {
+                Object.assign(request.session, sessionData);
+            }
+            logger?.info?.(`OAuth login successful for user: ${user.username}${tokenResponse.expires_in ? `, token expires in ${tokenResponse.expires_in}s` : ', token does not expire'}`);
+        }
+        else {
+            logger?.warn?.('No session available for OAuth user');
+        }
+        // Redirect to original URL or default (sanitize to prevent open redirect)
+        return {
+            status: 302,
+            headers: {
+                Location: sanitizeRedirect(tokenData.originalUrl || config.postLoginRedirect || '/'),
+            },
+        };
+    }
+    catch (error) {
+        logger?.error?.('OAuth callback error:', error);
+        // Use a safe, generic reason code — details are in the server log
+        const message = error.message || '';
+        let reason = 'unknown';
+        if (message.startsWith('Token exchange failed'))
+            reason = 'token_exchange';
+        else if (message.includes('claim'))
+            reason = 'user_mapping';
+        else if (message.includes('user info') || message.includes('userinfo'))
+            reason = 'user_info';
+        else if (message.includes('hook') || message.includes('onLogin'))
+            reason = 'login_hook';
+        const errorUrl = buildErrorRedirect(tokenData.originalUrl || config.postLoginRedirect || '/', {
+            error: 'auth_failed',
+            reason,
+        });
+        return {
+            status: 302,
+            headers: {
+                Location: errorUrl,
+            },
+        };
+    }
+}
+/**
+ * Clear OAuth session data and log out the user
+ * Shared function for explicit logout and automatic logout on token expiration
+ *
+ * Deletes the session record from the hdb_session table, completely removing it
+ * rather than just clearing the user field. This ensures no orphaned sessions remain.
+ */
+export async function clearOAuthSession(session, logger) {
+    if (!session)
+        return;
+    // Delete the session record from the hdb_session table
+    // This completely removes the session on logout, rather than just nulling the user field
+    if (typeof session.delete === 'function') {
+        await session.delete(session.id);
+    }
+    else {
+        // Fallback for sessions without delete method - clear in-memory
+        session.user = null;
+        delete session.oauth;
+        delete session.oauthUser;
+    }
+    logger?.info?.('OAuth session cleared');
+}
+/**
+ * Handle user logout
+ */
+export async function handleLogout(request, hookManager, logger) {
+    // Call onLogout hook before clearing session
+    await hookManager.callOnLogout(request.session, request);
+    // Clear the OAuth session
+    await clearOAuthSession(request.session, logger);
+    return {
+        status: 200,
+        body: { message: 'Logged out successfully' },
+    };
+}
+/**
+ * Get current user info
+ */
+export async function handleUserInfo(request, tokenRefreshed = false) {
+    // Add debug logging
+    if (!request) {
+        return {
+            status: 500,
+            body: { error: 'Request object not provided' },
+        };
+    }
+    // Check for OAuth user in session first, then Harper user
+    const oauthUser = request?.session?.oauthUser;
+    const oauthMetadata = request?.session?.oauth;
+    const username = request?.user || request?.session?.user;
+    if (!username && !oauthUser) {
+        return {
+            status: 401,
+            body: {
+                authenticated: false,
+                message: 'Not authenticated',
+            },
+        };
+    }
+    // If we have OAuth user details, use those
+    if (oauthUser) {
+        return {
+            status: 200,
+            body: {
+                authenticated: true,
+                username: oauthUser.username,
+                role: oauthUser.role,
+                email: oauthUser.email,
+                name: oauthUser.name,
+                provider: oauthUser.provider,
+                // Include OAuth token status in debug mode
+                oauth: oauthMetadata
+                    ? {
+                        provider: oauthMetadata.provider,
+                        providerConfigId: oauthMetadata.providerConfigId,
+                        providerType: oauthMetadata.providerType,
+                        expiresAt: oauthMetadata.expiresAt,
+                        refreshThreshold: oauthMetadata.refreshThreshold,
+                        lastRefreshed: oauthMetadata.lastRefreshed,
+                        hasRefreshToken: !!oauthMetadata.refreshToken,
+                        tokenRefreshed,
+                    }
+                    : undefined,
+            },
+        };
+    }
+    // Fall back to Harper user - extract just the username string and role name
+    const usernameString = typeof username === 'string' ? username : username?.username;
+    const roleData = typeof username === 'object' ? username?.role : request?.user?.role;
+    // Extract role name - Harper roles can be objects with id/name or just strings
+    const roleName = typeof roleData === 'string' ? roleData : roleData?.id || roleData?.name || 'user';
+    return {
+        status: 200,
+        body: {
+            authenticated: true,
+            username: usernameString,
+            role: roleName,
+            email: null,
+            name: null,
+            provider: 'harper',
+        },
+    };
+}
+/**
+ * Serve OAuth test page
+ */
+export async function handleTestPage(logger) {
+    try {
+        const __dirname = dirname(fileURLToPath(import.meta.url));
+        const testHtml = await readFile(join(__dirname, '..', '..', 'assets', 'test.html'), 'utf8');
+        return {
+            status: 200,
+            headers: {
+                'Content-Type': 'text/html',
+            },
+            body: testHtml,
+        };
+    }
+    catch (error) {
+        logger?.error?.('Failed to load test page:', error);
+        return {
+            status: 500,
+            body: { error: 'Failed to load test page' },
+        };
+    }
+}
+//# sourceMappingURL=handlers.js.map

package/dist/lib/handlers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handlers.js","sourceRoot":"","sources":["../../src/lib/handlers.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAKzC;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,gBAAgB,CAAC,aAAqB;IACrD,IAAI,CAAC;QACJ,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAAC;QAEvD,4BAA4B;QAC5B,qEAAqE;QACrE,MAAM,kBAAkB,GAAG,CAAC,aAAa,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;QAC1E,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,KAAK,KAAK,CAAC,EAAE,CAAC;YAChE,OAAO,GAAG,CAAC;QACZ,CAAC;QAED,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC;QAEvD,kDAAkD;QAClD,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,GAAG,CAAC;QACZ,CAAC;QAED,OAAO,SAAS,CAAC;IAClB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,oCAAoC;QACpC,OAAO,GAAG,CAAC;IACZ,CAAC;AACF,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,MAAc,EAAE,MAA8B;IACzE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC;IAClD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QACnD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAChC,OAAgB,EAChB,MAAqB,EACrB,QAAwB,EACxB,MAA2B,EAC3B,YAAoB,EACpB,MAAe;IAEf,wEAAwE;IACxE,IAAI,aAAa,GAAG,MAAM,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,CAAC;IAE7C,+DAA+D;IAC/D,IAAI,aAAa,EAAE,CAAC;QACnB,aAAa,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACjG,MAAM,WAAW,GAAG,aAAa,IAAI,OAAO,IAAI,MAAM,CAAC,iBAAiB,IAAI,GAAG,CAAC;IAEhF,oCAAoC;IACpC,gEAAgE;IAChE,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,iBAAiB,CAAC;QAClD,WAAW;QACX,SAAS,EAAE,OAAO,CAAC,OAAO,EAAE,EAAE;QAC9B,YAAY,EAAE,oCAAoC;KAClD,CAAC,CAAC;IAEH,6DAA6D;IAC7D,MAAM,OAAO,GAAG,QAAQ,CAAC,mBAAmB,CAAC,SAAS,EAAE,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IAElF,MAAM,EAAE,IAAI,EAAE,CAAC,sCAAsC,OAAO,CAAC,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;IAE5E,OAAO;QACN,MAAM,EAAE,GAAG;QACX,OAAO,EAAE;YACR,QAAQ,EAAE,OAAO;SACjB;KACD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CACnC,OAAgB,EAChB,MAAqB,EACrB,QAAwB,EACxB,MAA2B,EAC3B,WAAwB,EACxB,YAAoB,EACpB,MAAe;IAEf,mCAAmC;IACnC,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;IAClC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,CAAC;IACpC,MAAM,gBAAgB,GAAG,MAAM,CAAC,GAAG,EAAE,CAAC,mBAAmB,CAAC,CAAC;IAE3D,oCAAoC;IACpC,IAAI,KAAK,EAAE,CAAC;QACX,MAAM,EAAE,KAAK,EAAE,CAAC,gBAAgB,KAAK,MAAM,gBAAgB,EAAE,CAAC,CAAC;QAC/D,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,iBAAiB,IAAI,GAAG,EAAE,EAAE,KAAK,EAAE,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/G,OAAO;YACN,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACR,QAAQ,EAAE,QAAQ;aAClB;SACD,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACrB,MAAM,EAAE,IAAI,EAAE,CAAC,4CAA4C,CAAC,CAAC;QAC7D,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,iBAAiB,IAAI,GAAG,EAAE,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;QACnG,OAAO;YACN,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACR,QAAQ,EAAE,QAAQ;aAClB;SACD,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IACxD,IAAI,CAAC,SAAS,EAAE,CAAC;QAChB,MAAM,EAAE,IAAI,EAAE,CAAC,+BAA+B,CAAC,CAAC;QAChD,8CAA8C;QAC9C,MAAM,QAAQ,GAAG,UAAU,YAAY,8BAA8B,CAAC;QACtE,OAAO;YACN,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACR,QAAQ,EAAE,QAAQ;aAClB;SACD,CAAC;IACH,CAAC;IAED,oFAAoF;IACpF,IAAI,SAAS,CAAC,YAAY,KAAK,YAAY,EAAE,CAAC;QAC7C,MAAM,EAAE,IAAI,EAAE,CACb,oDAAoD,SAAS,CAAC,YAAY,oBAAoB,YAAY,GAAG,CAC7G,CAAC;QACF,qEAAqE;QACrE,qEAAqE;QACrE,MAAM,QAAQ,GAAG,kBAAkB,CAAC,SAAS,CAAC,WAAW,IAAI,MAAM,CAAC,iBAAiB,IAAI,GAAG,EAAE;YAC7F,KAAK,EAAE,aAAa;YACpB,MAAM,EAAE,MAAM;SACd,CAAC,CAAC;QACH,OAAO;YACN,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACR,QAAQ,EAAE,QAAQ;aAClB;SACD,CAAC;IACH,CAAC;IAED,IAAI,CAAC;QACJ,2BAA2B;QAC3B,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,oBAAoB,CAAC,IAAI,EAAE,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QAE1F,yCAAyC;QACzC,IAAI,aAAa,GAAG,IAAI,CAAC;QACzB,IAAI,aAAa,CAAC,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACJ,aAAa,GAAG,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,QAAQ,CAAC,aAAa,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;gBACrG,MAAM,EAAE,IAAI,EAAE,CAAC,gCAAgC,CAAC,CAAC;YAClD,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBAChB,+DAA+D;gBAC/D,MAAM,EAAE,IAAI,EAAE,CAAC,kEAAkE,EAAG,KAAe,CAAC,OAAO,CAAC,CAAC;YAC9G,CAAC;QACF,CAAC;QAED,qEAAqE;QACrE,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,aAAa,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC;QAEvF,qBAAqB;QACrB,MAAM,IAAI,GAAG,QAAQ,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QAEhD,2CAA2C;QAC3C,sEAAsE;QACtE,gGAAgG;QAChG,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,WAAW,CAAC,IAAI,EAAE,aAAa,EAAE,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;QAE5G,gCAAgC;QAChC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACrB,oDAAoD;YACpD,gFAAgF;YAChF,mFAAmF;YACnF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,SAA6B,CAAC;YAClC,IAAI,gBAAoC,CAAC;YAEzC,IAAI,aAAa,CAAC,UAAU,EAAE,CAAC;gBAC9B,8CAA8C;gBAC9C,MAAM,SAAS,GAAG,aAAa,CAAC,UAAU,CAAC;gBAC3C,SAAS,GAAG,GAAG,GAAG,SAAS,GAAG,IAAI,CAAC;gBACnC,gBAAgB,GAAG,GAAG,GAAG,SAAS,GAAG,GAAG,CAAC,CAAC,6BAA6B;YACxE,CAAC;YACD,gEAAgE;YAChE,sFAAsF;YAEtF,uBAAuB;YACvB,MAAM,WAAW,GAAQ;gBACxB,IAAI,EAAE,QAAQ,EAAE,IAAI,IAAI,IAAI,CAAC,QAAQ,EAAE,wDAAwD;gBAC/F,SAAS,EAAE,IAAI,EAAE,0CAA0C;gBAC3D,KAAK,EAAE;oBACN,QAAQ,EAAE,YAAY,EAAE,kFAAkF;oBAC1G,gBAAgB,EAAE,YAAY,EAAE,8CAA8C;oBAC9E,YAAY,EAAE,MAAM,CAAC,QAAQ,EAAE,yCAAyC;oBACxE,WAAW,EAAE,aAAa,CAAC,YAAY;oBACvC,YAAY,EAAE,aAAa,CAAC,aAAa;oBACzC,SAAS;oBACT,gBAAgB;oBAChB,KAAK,EAAE,aAAa,CAAC,KAAK;oBAC1B,SAAS,EAAE,aAAa,CAAC,UAAU,IAAI,QAAQ;oBAC/C,aAAa,EAAE,GAAG;iBAClB;aACD,CAAC;YAEF,iGAAiG;YACjG,IAAI,QAAQ,EAAE,CAAC;gBACd,qFAAqF;gBACrF,MAAM,EAAE,IAAI,EAAE,GAAG,iBAAiB,EAAE,GAAG,QAAQ,CAAC;gBAChD,MAAM,CAAC,MAAM,CAAC,WAAW,EAAE,iBAAiB,CAAC,CAAC;YAC/C,CAAC;YAED,gDAAgD;YAChD,IAAI,OAAO,OAAO,CAAC,OAAO,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;gBAClD,MAAM,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBACP,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YAC7C,CAAC;YAED,MAAM,EAAE,IAAI,EAAE,CACb,oCAAoC,IAAI,CAAC,QAAQ,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC,sBAAsB,aAAa,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,yBAAyB,EAAE,CAC9J,CAAC;QACH,CAAC;aAAM,CAAC;YACP,MAAM,EAAE,IAAI,EAAE,CAAC,qCAAqC,CAAC,CAAC;QACvD,CAAC;QAED,0EAA0E;QAC1E,OAAO;YACN,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACR,QAAQ,EAAE,gBAAgB,CAAC,SAAS,CAAC,WAAW,IAAI,MAAM,CAAC,iBAAiB,IAAI,GAAG,CAAC;aACpF;SACD,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,MAAM,EAAE,KAAK,EAAE,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;QAChD,kEAAkE;QAClE,MAAM,OAAO,GAAI,KAAe,CAAC,OAAO,IAAI,EAAE,CAAC;QAC/C,IAAI,MAAM,GAAG,SAAS,CAAC;QACvB,IAAI,OAAO,CAAC,UAAU,CAAC,uBAAuB,CAAC;YAAE,MAAM,GAAG,gBAAgB,CAAC;aACtE,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;YAAE,MAAM,GAAG,cAAc,CAAC;aACvD,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,MAAM,GAAG,WAAW,CAAC;aACxF,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAAE,MAAM,GAAG,YAAY,CAAC;QACxF,MAAM,QAAQ,GAAG,kBAAkB,CAAC,SAAS,CAAC,WAAW,IAAI,MAAM,CAAC,iBAAiB,IAAI,GAAG,EAAE;YAC7F,KAAK,EAAE,aAAa;YACpB,MAAM;SACN,CAAC,CAAC;QACH,OAAO;YACN,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACR,QAAQ,EAAE,QAAQ;aAClB;SACD,CAAC;IACH,CAAC;AACF,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAAY,EAAE,MAAe;IACpE,IAAI,CAAC,OAAO;QAAE,OAAO;IAErB,uDAAuD;IACvD,yFAAyF;IACzF,IAAI,OAAO,OAAO,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;QAC1C,MAAM,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAClC,CAAC;SAAM,CAAC;QACP,gEAAgE;QAChE,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;QACpB,OAAO,OAAO,CAAC,KAAK,CAAC;QACrB,OAAO,OAAO,CAAC,SAAS,CAAC;IAC1B,CAAC;IAED,MAAM,EAAE,IAAI,EAAE,CAAC,uBAAuB,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAAgB,EAAE,WAAwB,EAAE,MAAe;IAC7F,6CAA6C;IAC7C,MAAM,WAAW,CAAC,YAAY,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAEzD,0BAA0B;IAC1B,MAAM,iBAAiB,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAEjD,OAAO;QACN,MAAM,EAAE,GAAG;QACX,IAAI,EAAE,EAAE,OAAO,EAAE,yBAAyB,EAAE;KAC5C,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAAgB,EAAE,cAAc,GAAG,KAAK;IAC5E,oBAAoB;IACpB,IAAI,CAAC,OAAO,EAAE,CAAC;QACd,OAAO;YACN,MAAM,EAAE,GAAG;YACX,IAAI,EAAE,EAAE,KAAK,EAAE,6BAA6B,EAAE;SAC9C,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,MAAM,SAAS,GAAG,OAAO,EAAE,OAAO,EAAE,SAAS,CAAC;IAC9C,MAAM,aAAa,GAAG,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC;IAC9C,MAAM,QAAQ,GAAG,OAAO,EAAE,IAAI,IAAI,OAAO,EAAE,OAAO,EAAE,IAAI,CAAC;IAEzD,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,EAAE,CAAC;QAC7B,OAAO;YACN,MAAM,EAAE,GAAG;YACX,IAAI,EAAE;gBACL,aAAa,EAAE,KAAK;gBACpB,OAAO,EAAE,mBAAmB;aAC5B;SACD,CAAC;IACH,CAAC;IAED,2CAA2C;IAC3C,IAAI,SAAS,EAAE,CAAC;QACf,OAAO;YACN,MAAM,EAAE,GAAG;YACX,IAAI,EAAE;gBACL,aAAa,EAAE,IAAI;gBACnB,QAAQ,EAAE,SAAS,CAAC,QAAQ;gBAC5B,IAAI,EAAE,SAAS,CAAC,IAAI;gBACpB,KAAK,EAAE,SAAS,CAAC,KAAK;gBACtB,IAAI,EAAE,SAAS,CAAC,IAAI;gBACpB,QAAQ,EAAE,SAAS,CAAC,QAAQ;gBAC5B,2CAA2C;gBAC3C,KAAK,EAAE,aAAa;oBACnB,CAAC,CAAC;wBACA,QAAQ,EAAE,aAAa,CAAC,QAAQ;wBAChC,gBAAgB,EAAE,aAAa,CAAC,gBAAgB;wBAChD,YAAY,EAAE,aAAa,CAAC,YAAY;wBACxC,SAAS,EAAE,aAAa,CAAC,SAAS;wBAClC,gBAAgB,EAAE,aAAa,CAAC,gBAAgB;wBAChD,aAAa,EAAE,aAAa,CAAC,aAAa;wBAC1C,eAAe,EAAE,CAAC,CAAC,aAAa,CAAC,YAAY;wBAC7C,cAAc;qBACd;oBACF,CAAC,CAAC,SAAS;aACZ;SACD,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,MAAM,cAAc,GAAG,OAAO,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAE,QAAgB,EAAE,QAAQ,CAAC;IAC7F,MAAM,QAAQ,GAAG,OAAO,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAE,QAAgB,EAAE,IAAI,CAAC,CAAC,CAAE,OAAe,EAAE,IAAI,EAAE,IAAI,CAAC;IAEvG,+EAA+E;IAC/E,MAAM,QAAQ,GAAG,OAAO,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,IAAI,QAAQ,EAAE,IAAI,IAAI,MAAM,CAAC;IAEpG,OAAO;QACN,MAAM,EAAE,GAAG;QACX,IAAI,EAAE;YACL,aAAa,EAAE,IAAI;YACnB,QAAQ,EAAE,cAAc;YACxB,IAAI,EAAE,QAAQ;YACd,KAAK,EAAE,IAAI;YACX,IAAI,EAAE,IAAI;YACV,QAAQ,EAAE,QAAQ;SAClB;KACD,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAe;IACnD,IAAI,CAAC;QACJ,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,CAAC,EAAE,MAAM,CAAC,CAAC;QAE5F,OAAO;YACN,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACR,cAAc,EAAE,WAAW;aAC3B;YACD,IAAI,EAAE,QAAQ;SACd,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,MAAM,EAAE,KAAK,EAAE,CAAC,2BAA2B,EAAE,KAAK,CAAC,CAAC;QACpD,OAAO;YACN,MAAM,EAAE,GAAG;YACX,IAAI,EAAE,EAAE,KAAK,EAAE,0BAA0B,EAAE;SAC3C,CAAC;IACH,CAAC;AACF,CAAC"}

package/dist/lib/hookManager.d.ts

@@ -0,0 +1,52 @@
+/**
+ * OAuth Hook Manager
+ *
+ * Manages loading and calling lifecycle hooks for the OAuth plugin
+ */
+import type { OAuthHooks, OAuthUser, TokenResponse, Logger, OAuthProviderConfig } from '../types.ts';
+/**
+ * Hook Manager
+ * Loads and executes OAuth lifecycle hooks
+ */
+export declare class HookManager {
+    private hooks;
+    private logger?;
+    constructor(logger?: Logger);
+    /**
+     * Register hooks programmatically
+     * Allows applications to register hooks directly without using config
+     */
+    register(hooks: OAuthHooks): void;
+    /**
+     * Call onLogin hook
+     */
+    callOnLogin(oauthUser: OAuthUser, tokenResponse: TokenResponse, session: any, request: any, provider: string): Promise<Record<string, any> | void>;
+    /**
+     * Call onLogout hook
+     */
+    callOnLogout(session: any, request: any): Promise<void>;
+    /**
+     * Call onTokenRefresh hook
+     */
+    callOnTokenRefresh(session: any, refreshed: boolean, request?: any): Promise<void>;
+    /**
+     * Check if a specific hook is registered
+     */
+    hasHook(hookName: keyof OAuthHooks): boolean;
+    /**
+     * Check if any hooks are loaded
+     */
+    hasHooks(): boolean;
+    /**
+     * Call onResolveProvider hook
+     *
+     * Called when a provider is not found in the static registry.
+     * Allows applications to dynamically resolve provider configurations.
+     *
+     * @param providerName - Provider name from URL path (e.g., "okta-org_abc123")
+     * @param logger - Optional logger instance
+     * @returns Provider configuration or null if not found
+     * @throws Error if resolution fails
+     */
+    callResolveProvider(providerName: string, logger?: Logger): Promise<OAuthProviderConfig | null>;
+}